With a host of new and upgraded security features, Microsoft’s new OS is designed to make the effort of Windows 10 migration worthwhile. But in addition to the time and resources required for deployment, it also demands a new mindset—one focused more on control than flexibility. Given the current climate in which cyberattacks and malware are increasingly pervasive, this shift is absolutely necessary. Windows 10 was developed around a protect, detect, and respond framework that carefully considers and addresses the multitude and complexity of security threats.

That said, you don’t deploy the new OS and then it just works, making your network instantly more secure. There is a bit more to it. To fully leverage all that Windows 10 offers, consider the following:

No Single Configuration Works for All

In the enterprise, there are a seemingly endless number of endpoints to secure, particularly considering the whole bring-your-own-device (BYOD) movement. There is no way to set a single configuration that will work for everyone on staff on every device. You therefore have to pick and choose a bit. Think about how the device will be used, and by whom, in order to protect it according to its potential risk and value. For example, you want to assert more control over information workers than someone who works in marketing, and given the recent trend of supply chain attacks (think CCleaner or NotPetya) where developers were targeted in order to get bad things published, you should probably consider tightening controls for developers as well.

You not only need separate credentials for team members based on their role, you also need them based on what device or machine they are using. Why? Do you really want your employee’s mobile phone that’s used to surf the internet and exposed to multiple risk factors to be the same device that handles domain administration? You need some type of separation, but you don’t want to have thousands of unique configurations either. Talk about a nightmare to manage! In reality, you’re probably looking at the neighborhood of three to seven configurations, depending on the size or complexity of your organization.

The best place to start is by removing more admin rights. In determining configurations per employee per device, again consider the user, mechanism, and intent. This may be an iterative process, and that’s ok. The key is to be thoughtful about it—and perhaps err on the conservative side.

Software Is Bad Until Proven Otherwise

Then comes the issue of which software and apps can run on which machines and devices. Here is where a major shift in approach is required. Instead of extending the trust that all software is good until proven otherwise, as we have since about 2006, IT administrators now must operate as though all software is bad until determined to be good. Microsoft understands this and baked it into Windows 10 accordingly.

Windows 10 allows you to establish layers of defenses for whitelistings, or the list of items that are granted access to a certain system. The first layer is cloud control. This means that if you exist in the reputation service as software that’s well known, that’s used frequently enough, and not discovered to be bad behaviorally, it will be auto edited to your whitelist. As such, you don’t have to add an entry at all. Just plug into the cloud and let the reputation in the cloud drive it.

The next layer is AppLocker. According to Microsoft: “AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.” Basically, if the admin puts it there, it’s considered safe. Not so if it’s the user, email client, or browser. You can create those rules, which will make your life much easier in the long run. Then comes managed installer. This essentially says that if you deploy software with Configuration Manager and that drops it down, it will be marked as good and added to the whitelist. Admins can also manually install and maintain explicit control.

There are a lot of layers here, but as such, they provide protection, and each is relatively easy to set up. Again, this can be an iterative process.

It Doesn’t Stop With Deployment and Configuration

You’ve gone through the time, expense, and trouble of configuring and deploying the new OS and establishing new rules for software. It’s now essential for you to maintain your systems. Microsoft consistently issues updates, as do software providers and app developers. To take advantage, you have to make sure new security features get turned on and fixes occur throughout your network. This is where you will see the most value and return on your investment.

Develop a plan for deploying those updates to every machine and device. This could mean devoting staff to the issue or opting for an automated solution that takes care of all of it for you. The updates simply have to happen in a timely manner or else you put your network at risk and everything to this point is for naught. No one wants that.

In the grand scheme, the move to Windows 10—and the broader shift in mindset—is a big deal, so don’t expect to get everything 100% right from the start. But as you learn, take advantage of the Windows 10 framework to make adjustments. Consider what you can fix right now, in three months, and on down the road. You don’t need to make such drastic changes that your end users can’t do their jobs at the end of the day. Just keep moving forward and leverage the security baselines Microsoft has established as you go.